Correlating events over specific days within a time window

I'm trying to correlate events that have taken place at specific times/dates.

As an example:

We know a service has gone down around about 25th Aug at 10:05 and again on the 1st Sep 9:45

We believe that it happened around +/- 10 minutes of the approximate time (nothing was officially recorded, hence the best guess times)

We want to know what computer(s) the service went down on

Our base search is the below but we're wondering if we can build on this (or if there is a better approach):

sourcetype=ServiceSource EventTime="01.09.2013 10:0*" [search sourcetype=ServiceSource EventTime="25.08.2013 09:4*" | top limit=10 ComputerName | fields + ComputerName] | top limit=10 ComputerName

*NOTE: We could search by errors but we'd like to narrow down the time window rather than eliminate errors. Given the number of servers involved, reducing the search space is seen as the logical first step.
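The logic the question is after, written out as an added Python example (not part of the original post, and not Splunk's own code): parse each event's EventTime in the poster's DD.MM.YYYY HH:MM format, keep only events within +/- 10 minutes of each approximate outage time, and report the ComputerName values that appear in every window. The sample events, host names and the inclusive window boundary are constructed assumptions for illustration; the two incident times and the 10 minute tolerance are the ones given in the question.

```python
from datetime import datetime, timedelta

# Constructed sample events in the poster's EventTime format (DD.MM.YYYY HH:MM).
# Host names are invented for the example.
SAMPLE_EVENTS = [
    {"EventTime": "25.08.2013 09:58", "ComputerName": "srv-a"},
    {"EventTime": "25.08.2013 10:03", "ComputerName": "srv-b"},
    {"EventTime": "25.08.2013 10:40", "ComputerName": "srv-c"},  # 35 min late: outside window 1
    {"EventTime": "01.09.2013 09:50", "ComputerName": "srv-a"},
    {"EventTime": "01.09.2013 09:34", "ComputerName": "srv-b"},  # 11 min early: outside window 2
    {"EventTime": "01.09.2013 09:36", "ComputerName": "srv-d"},  # 9 min early: inside window 2
    {"EventTime": "01.09.2013 09:55", "ComputerName": "srv-e"},  # exactly on the +10 boundary
]

# The two approximate outage times from the question.
INCIDENTS = [
    datetime(2013, 8, 25, 10, 5),
    datetime(2013, 9, 1, 9, 45),
]
TOLERANCE = timedelta(minutes=10)  # +/- 10 minutes, as stated in the question


def parse_event_time(value):
    """Parse the DD.MM.YYYY HH:MM string used in the poster's EventTime field."""
    return datetime.strptime(value, "%d.%m.%Y %H:%M")


def hosts_in_window(events, centre, tolerance=TOLERANCE):
    """Return the set of ComputerName values seen within centre +/- tolerance.

    The window is treated as inclusive at both ends (an assumption made here).
    """
    low, high = centre - tolerance, centre + tolerance
    return {
        event["ComputerName"]
        for event in events
        if low <= parse_event_time(event["EventTime"]) <= high
    }


def correlate(events, incidents, tolerance=TOLERANCE):
    """Hosts that appear in the window around every incident time."""
    windows = [hosts_in_window(events, when, tolerance) for when in incidents]
    return set.intersection(*windows) if windows else set()


def rank_hosts(events, incidents, tolerance=TOLERANCE, limit=10):
    """Rank hosts by how many incident windows they fall in (a `top`-style view).

    Useful when no single host is present in every window and you still want
    the most plausible candidates first.
    """
    counts = {}
    for when in incidents:
        for host in hosts_in_window(events, when, tolerance):
            counts[host] = counts.get(host, 0) + 1
    ranked = sorted(counts.items(), key=lambda item: (-item[1], item[0]))
    return ranked[:limit]


if __name__ == "__main__":
    print("hosts in every window:", sorted(correlate(SAMPLE_EVENTS, INCIDENTS)))
    print("ranked by windows hit:", rank_hosts(SAMPLE_EVENTS, INCIDENTS))
```

The `rank_hosts` view is closer to the `top limit=10 ComputerName` in the original search: it shows candidates even when no host is inside every window, which is the more likely outcome when the recorded times are only a best guess. In Splunk itself the same +/- 10 minute bound is normally expressed with time modifiers on the event timestamp (`earliest` and `latest`) rather than with a wildcard on a string field, which avoids the off-by-a-few-minutes gap a pattern like `10:0*` leaves around the boundary.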